Closed kjk closed 13 years ago
The simplest repro for this is: "*ca"
find_emph_char() will be called with data pointing to "ca" and c == '*'.
```c
while (i < size) {
    while (i < size && data[i] != c && data[i] != '`' && data[i] != '[')
        i += 1;
    if (data[i] == c)   /* reads data[size] when the inner loop ran off the end */
        return i;
```
Since there is no '*' in "ca", at this point i == size and data[i] == data[size] i.e. one byte past data. The fix is to add:
```c
if (i >= size)
    return 0;
```
It will rarely be fatal in C due to padding inside struct buf. I found it while testing my Go port (https://github.com/kjk/go-markup/commit/122da5f0ca90120bc2840eeeffdd34413286c718) where I use slices for data and Go is unforgiving about out-of-bounds slice access.
Nice find. Working on a fix...
Sorry this took too long. Just pushed a fix, it'll be on the next minor release.
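A minimal C illustration of the off-by-one read and the bounds check that fixes it, added here as an example (it is neither sundown's code nor kjk's port). It assumes a simplified scanner that merely steps over '`' and '[' instead of matching them, and it places a '*' just past the logical end of the buffer so the unchecked version's stray read stays inside the allocation while still showing the wrong result:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked variant: mirrors the loop from the report. If no delimiter is
 * found the inner loop leaves i == size and data[i] is read one byte past
 * the logical end of the input. */
static size_t find_emph_char_unchecked(const uint8_t *data, size_t size, uint8_t c)
{
    size_t i = 0;
    while (i < size) {
        while (i < size && data[i] != c && data[i] != '`' && data[i] != '[')
            i += 1;
        if (data[i] == c)      /* BUG: may evaluate data[size] */
            return i;
        i += 1;                /* simplified: just step over '`' or '[' */
    }
    return 0;
}

/* Fixed variant: bail out before indexing when the scan ran off the end. */
static size_t find_emph_char_fixed(const uint8_t *data, size_t size, uint8_t c)
{
    size_t i = 0;
    while (i < size) {
        while (i < size && data[i] != c && data[i] != '`' && data[i] != '[')
            i += 1;
        if (i >= size)         /* the fix from the report */
            return 0;
        if (data[i] == c)
            return i;
        i += 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: the text "ca" (size 2) followed by a '*' that is
     * NOT part of the input but happens to sit right after it in memory. */
    static const uint8_t buf[] = "ca*";
    printf("unchecked: %zu (offset past the end)\n",
           find_emph_char_unchecked(buf, 2, '*'));   /* 2 */
    printf("fixed:     %zu (no delimiter found)\n",
           find_emph_char_fixed(buf, 2, '*'));       /* 0 */
    return 0;
}
```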